The 5 Hacking NewsLetter 33
Posted in Newsletter on December 25, 2018
Posted in Newsletter on September 3, 2018
Hey hackers! These are our favorite resources related to pentesting and bug hunting that we came across the last few days.
This issue covers the week from 24 to 31 of August.
The Complete Guide to CORS (In)Security by Bedefended
This is a comprehensive guide to CORS for security professionals. It’s the best document that I’ve seen on this subject, covering everything from an introduction to the basics of SOP (Same-Origin Policy) and CORS, to attacks and mitigations, with references to the existing research on this topic.
Christina Camilleri: Security Solutions Specialist for Riot Games | Play Makers Episode 6 by Travis Gafford
Wow, I could not get my eyes off Christina during this interview. I’m usually not into “My path to infosec”-type interviews but this one is fascinating: She shares stories of physical pentests, insights into social engineering, why security is so important for a video game company… all with glimmering eyes that are a testament to her passion!
Remote code execution by hijacking an unclaimed S3 bucket in Rocket.Chat’s installation script by @EdOverflow
This is a simple bug but very creative!
My main takeaway is to always carefully read the source code if you have access to it.
In the latest release of Rocket.Chat, an install.sh script contained a curl request to retrieve a file from an unclaimed S3 bucket. So by creating a bucket with the same name, Ed could make users download any files from his bucket.
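To make that takeaway concrete, here is an added example (not from Ed's write-up and not Rocket.Chat's code) of the kind of check a reviewer can run over an install script before executing it: it lists every curl/wget download, extracts the bucket name from S3-style URLs so you can confirm the project actually owns it, flags downloads piped straight into a shell, and reports whether the script verifies a checksum or signature anywhere. The sample install script and bucket names are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample install script (not Rocket.Chat's real install.sh): two S3-hosted downloads, one piped into sh, and a checksum step for a third, non-S3 file.
SAMPLE_INSTALL_SH = """#!/bin/sh
set -e
curl -sL https://example-bucket.s3.amazonaws.com/app/latest.tar.gz -o /tmp/app.tgz
curl -sL https://s3.amazonaws.com/another-bucket/helper.sh | sh
wget -q https://releases.example.org/app-1.0.0.tar.gz
sha256sum -c app-1.0.0.tar.gz.sha256
"""

# curl/wget plus the first http(s) URL of the same command (stops at a pipe).
FETCH_RE = re.compile(r"\b(curl|wget)\b[^\n|]*?(https?://[^\s\"'|]+)")
# Virtual-hosted (bucket.s3[.region].amazonaws.com/) and path-style (s3[.region].amazonaws.com/bucket/) URLs.
S3_VHOST = re.compile(r"^https?://([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/", re.I)
S3_PATH = re.compile(r"^https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])/", re.I)
PIPE_SH_RE = re.compile(r"\|\s*(?:sudo\s+(?:-E\s+)?)?(?:ba|da|z)?sh\b")  # fetched content piped into a shell
VERIFY_RE = re.compile(r"\b(?:sha256sum|sha512sum|shasum|gpg2?)\b[^\n]*(?:\s-c\b|--check|--verify)")

@dataclass
class Fetch:
    line_no: int
    tool: str
    url: str
    s3_bucket: Optional[str]  # bucket whose ownership the reviewer must confirm; None if not S3
    piped_to_shell: bool

def s3_bucket(url: str) -> Optional[str]:
    """Bucket name referenced by an S3 URL, or None for any other host."""
    for pattern in (S3_VHOST, S3_PATH):
        hit = pattern.match(url)
        if hit:
            return hit.group(1).lower()
    return None

def audit_install_script(text: str) -> List[Fetch]:
    """Every remote download in a shell script, with the S3 bucket (if any) it depends on."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in FETCH_RE.finditer(line):
            findings.append(Fetch(no, m.group(1), m.group(2), s3_bucket(m.group(2)),
                                  bool(PIPE_SH_RE.search(line[m.end():]))))
    return findings

def has_integrity_check(text: str) -> bool:
    """True if the script verifies a checksum or signature anywhere (coarse, script-wide check)."""
    return VERIFY_RE.search(text) is not None
```

A bucket name that turns up here and is not registered to the project is exactly the gap the write-up describes; the script-wide integrity check is only a heuristic, since a checksum line does not prove every download is covered.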
getsploit by @VulnersCom
This is a simple but useful command-line tool to search for vulnerabilities listed in vulners.com, the same way searchsploit searches for vulnerabilities in exploit-db.com.
AWS Slurp Github Takeover by @SweetRollBandit
This is a good reminder to always read the source code of github repositories before executing any script file in them.
That said, if anyone has a copy of the real Slurp repo, would you please send it to me? I couldn’t find it anywhere!
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/17/2018 to 08/24/2018
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…